White House Directive Aims to Standardize Software Security
Posted by Brian Reed
In response to high-profile cyberattacks, the U.S. White House announced stringent new cybersecurity guidelines to strengthen American cyberdefenses. Set to roll out over the next year, federal agencies, their private-sector partners and software vendors must begin to prepare their software and services to comply, including mobile apps.
Released on May 12, 2021, the Executive Order on Improving the Nation’s Cybersecurity mandates a set of software security standards in software development, cloud security and reporting. This sweeping initiative will have a tremendous impact on the entire ecosystem of agencies, software vendors and service providers that serve the federal government, with a trickle-down effect on all software globally.
As noted in the order, “The United States faces persistent and increasingly sophisticated malicious cyber campaigns that threaten the public sector, the private sector, and ultimately the American people’s security and privacy.” The administration seeks to avoid cybersecurity incidents like the recent SolarWinds, Accellion and Microsoft Exchange Server attacks, as well as attacks on critical infrastructure such as the recent Colonial Pipeline breach, a ransomware attack that shut down 5,500 miles of pipeline carrying refined gasoline and jet fuel in the Eastern United States.
Software developers, the federal agencies that procure apps for use, and the federal agencies that allow individuals to Bring-Your-Own-Apps (BYOA) via Bring-Your-Own-Device (BYOD) programs must now prepare to secure and protect all mobile, web and desktop applications from vulnerabilities. The White House directive has three key impacts on software security development, testing and standards:
- Software developers must provide a Software Bill of Materials.
- Software developers must employ automated tools or comparable processes that check for known and potential vulnerabilities and remediate them prior to product, version or update release.
- NIST will publish guidelines recommending minimum standards for vendors’ testing of their software source code, including identifying recommended types of manual or automated testing such as code review tools, static and dynamic analysis, software composition analysis and penetration testing.
- Within six months, agencies and partners must adopt multi-factor authentication and encryption for data at rest and in transit.
- Within 75 days, agencies shall establish a Continuous Diagnostics and Mitigation (CDM) Program with CISA to ensure object-level data (which includes mobile apps) is available and accessible to CISA.
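The first two bullets combine into one practical workflow: the vendor ships a Software Bill of Materials, and an automated check reads that SBOM and flags any component whose version falls inside a known-vulnerable range before the release is allowed out. The script below is an added illustration of that workflow, not text from the order and not NowSecure's tooling. The SBOM fragment follows the shape of a CycloneDX JSON document (bomFormat, components, purl), but every component, version, advisory ID and version range in it is constructed sample data, not a real package or a real vulnerability record.

```python
"""Gate a release on an SBOM cross-check against a known-vulnerability feed.

Added example. The SBOM is CycloneDX-shaped JSON; the components and the
advisory list are constructed sample data with placeholder IDs, not real CVEs.
"""
import json

# Constructed SBOM fragment (sample data, not a real application's bill of materials).
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.3",
  "components": [
    {"type": "library", "name": "example-net", "version": "3.12.1",
     "purl": "pkg:maven/org.example/example-net@3.12.1"},
    {"type": "library", "name": "example-crypto", "version": "1.4.0",
     "purl": "pkg:maven/org.example/example-crypto@1.4.0"},
    {"type": "library", "name": "example-json", "version": "2.0.3",
     "purl": "pkg:maven/org.example/example-json@2.0.3"}
  ]
}
"""

# Constructed advisory feed. Each entry names the package by its purl (without the
# version) and an affected half-open range [introduced, fixed). Placeholder IDs only.
ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-001", "purl_prefix": "pkg:maven/org.example/example-crypto",
     "introduced": "1.0.0", "fixed": "1.4.2", "severity": "high"},
    {"id": "ADV-PLACEHOLDER-002", "purl_prefix": "pkg:maven/org.example/example-json",
     "introduced": "2.0.0", "fixed": "2.0.3", "severity": "medium"},
]


def parse_version(version):
    """Turn a dotted numeric version ("1.4.0") into a comparable tuple (1, 4, 0).
    Assumes purely numeric dotted versions; real feeds need a full version parser."""
    return tuple(int(part) for part in version.split("."))


def affected(version, introduced, fixed):
    """True when introduced <= version < fixed (the fixed version itself is clean)."""
    v = parse_version(version)
    return parse_version(introduced) <= v < parse_version(fixed)


def purl_without_version(purl):
    """Strip the '@version' suffix so a purl can be matched against an advisory."""
    return purl.split("@", 1)[0]


def check_sbom(sbom_text, advisories):
    """Return one finding per (component, advisory) pair whose version is affected."""
    sbom = json.loads(sbom_text)
    findings = []
    for component in sbom.get("components", []):
        base = purl_without_version(component.get("purl", ""))
        for adv in advisories:
            if base == adv["purl_prefix"] and affected(
                component["version"], adv["introduced"], adv["fixed"]
            ):
                findings.append({
                    "component": component["name"],
                    "version": component["version"],
                    "advisory": adv["id"],
                    "severity": adv["severity"],
                    "fixed_in": adv["fixed"],
                })
    return findings


def release_allowed(findings, block_at=("high", "critical")):
    """Release gate: block when any finding is at or above the blocking severity."""
    return not any(f["severity"] in block_at for f in findings)


if __name__ == "__main__":
    results = check_sbom(SBOM_JSON, ADVISORIES)
    for f in results:
        print(f"{f['severity'].upper():8} {f['component']}@{f['version']} "
              f"hit by {f['advisory']} (fixed in {f['fixed_in']})")
    print("release allowed:", release_allowed(results))
```

On this sample data only example-crypto 1.4.0 is flagged: it sits inside the advisory's [1.0.0, 1.4.2) range, while example-json 2.0.3 is exactly the fixed version and so passes. Because the one finding is rated high, the gate returns False, which is the point of the order's "remediate prior to release" wording: the SBOM is the input, the check is automated, and the release does not proceed until the component is upgraded past the fixed version.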
The Mobile Attack Vector
Mobile cyberattacks are clearly on the rise. NowSecure has tracked hundreds of mobile app breaches in the past few years impacting millions of users, including Apple iOS Mail, Facebook, Samsung, Slack, Twitter, Under Armour, Walgreens and more. Attackers continue to get more creative, from attacking mobile software supply chains to harvesting and exploiting insecure mobile apps in public app stores. (Learn more about the MITRE Mobile ATT&CK surface here.)
In many cases companies fail to publicly disclose cyberattacks for fear of damage to brand reputation, shareholder value or hefty regulatory fines. The executive order outlines a plan for the collection and sharing of data among agencies and suppliers related to cyber incidents.
The United States will establish a Cybersecurity Safety Review Board, similar to the National Transportation Safety Board, to investigate major breaches and will mandate reporting of severe cyberattacks within three days of occurrence.
Executive Order Impact
The call for national cybersecurity standards on software and hardware provided to the federal government is a long-overdue game changer in U.S. cybersecurity. Through the massive scale of the federal contracting process, the expectation is these standards will eventually be adopted across the private sector.
All companies — manufacturers, service providers, communications providers and more — that do business with the federal government must now improve their cybersecurity posture, not just software developers themselves. Ultimately all businesses that work with federal agencies should be aware of and prepare for the new standards and regulations.
The order’s impact could be significant, with trillions of procurement dollars at stake. When the European Union’s General Data Protection Regulation (GDPR) went into effect in 2016, it was focused on EU citizens, but global companies found that to sell into the EU they had to comply, effectively making it a global standard. The power of GDPR lies in financial enforcement. Last year GDPR fines rose 40% totaling $191.5 million and over the years have included mobile app breaches as was the case with British Airways.
Driving Mobile AppSec Standards
NowSecure stands ready to assist all stakeholders at this critical time. NowSecure has been working with developer and security communities for more than a decade to help define mobile application security standards and craft testing programs and software with bodies such as OWASP, NIAP and ioXt.
OWASP is often considered the most widely recognized security standards organization in the security community. NowSecure has worked with the OWASP Mobile Application Security Project from the initial OWASP MASVS to the more recent OWASP MASVS and MASTG. (Learn more in our Manager’s Guide to the OWASP Mobile Application Security Project reference.)
The U.S. Department of Defense and other federal agencies must ensure their mobile apps comply with the National Information Assurance Partnership (NIAP) security requirements. NIAP validates the security of commercial hardware and software used in national security systems. NowSecure built the first NIAP standard certification for mobile apps.
NowSecure has also been at the forefront of driving IoT-connected mobile app security standards working with the ioXt Alliance. In partnership with technology vendors such as Amazon, Google, IBM, McAfee, SonicWALL and IoT manufacturers such as Crestron, Honeywell, Leviton, Motorola and Schneider Electric, NowSecure is an Authorized ioXt Certification Lab, helping create the standard and delivering the first automated certification solution for IoT-connected mobile apps.
NowSecure partners with mobile software developers to ensure their mobile apps meet the security standards of commercial and federal agencies alike. The company works with thousands of mobile app developers and numerous federal agencies, such as the U.S. Department of Defense, Department of Homeland Security, Department of Justice and the U.S. Marshals Service, to secure their mobile DevSecOps pipelines and monitor their third-party mobile app supply chains. We look forward to working with regulators, federal agencies and software developers alike to bring practical, effective standards for mobile app security to benefit all.
Contact us for more detail on the new White House cybersecurity standards and current federal agency and Congressional briefings or sign up for a free mobile app security test to check your readiness today.